GCP - Add Custom SSH Metadata

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

Modifying the metadata

Mabadiliko ya metadata kwenye mfano yanaweza kusababisha hatari kubwa za usalama ikiwa mshambuliaji atapata ruhusa zinazohitajika.

Incorporation of SSH Keys into Custom Metadata

Katika GCP, mifumo ya Linux mara nyingi inatekeleza skripti kutoka Python Linux Guest Environment for Google Compute Engine. Sehemu muhimu ya hii ni accounts daemon, ambayo imeundwa ili kuangalia mara kwa mara kiunganishi cha metadata ya mfano kwa sasisho la funguo za umma za SSH zilizoidhinishwa.

Hivyo, ikiwa mshambuliaji anaweza kubadilisha metadata ya kawaida, anaweza kufanya daemon ipate funguo mpya za umma, ambazo zitawekwa na kuunganishwa kwenye mfumo wa ndani. Funguo hiyo itaongezwa kwenye faili ya ~/.ssh/authorized_keys ya mtumiaji aliye tayari au labda kuunda mtumiaji mpya mwenye ruhusa za sudo, kulingana na muundo wa funguo. Na mshambuliaji ataweza kuathiri mwenyeji.

Add SSH key to existing privileged user

Examine Existing SSH Keys on the Instance:

Tekeleza amri ya kuelezea mfano na metadata yake ili kupata funguo za SSH zilizopo. Sehemu inayohusiana katika matokeo itakuwa chini ya metadata, haswa funguo ya ssh-keys.

gcloud compute instances describe [INSTANCE] --zone [ZONE]

Angalia muundo wa funguo za SSH: jina la mtumiaji linatangulia funguo, likitenganishwa na koloni.

Prepare a Text File for SSH Key Metadata:

Hifadhi maelezo ya majina ya watumiaji na funguo zao za SSH zinazohusiana kwenye faili ya maandiko iitwayo meta.txt. Hii ni muhimu ili kuhifadhi funguo zilizopo wakati wa kuongeza mpya.

Generate a New SSH Key for the Target User (alice in this example):

Tumia amri ya ssh-keygen kuzalisha funguo mpya ya SSH, kuhakikisha kuwa uwanja wa maoni (-C) unalingana na jina la mtumiaji wa lengo.

ssh-keygen -t rsa -C "alice" -f ./key -P "" && cat ./key.pub

Ongeza funguo mpya ya umma kwenye meta.txt, ukifanana na muundo ulio katika metadata ya mfano.

Update the Instance's SSH Key Metadata:

Tumia metadata ya funguo za SSH iliyosasishwa kwenye mfano kwa kutumia amri ya gcloud compute instances add-metadata.

gcloud compute instances add-metadata [INSTANCE] --metadata-from-file ssh-keys=meta.txt

Access the Instance Using the New SSH Key:

Unganisha kwenye mfano kwa kutumia SSH na funguo mpya, ukipata shell katika muktadha wa mtumiaji wa lengo (alice katika mfano huu).

ssh -i ./key alice@localhost
sudo id

Create a new privileged user and add a SSH key

Ikiwa hakuna mtumiaji wa kuvutia anayeonekana, inawezekana kuunda mpya ambayo itapewa ruhusa za sudo:

# define the new account username
NEWUSER="definitelynotahacker"

# create a key
ssh-keygen -t rsa -C "$NEWUSER" -f ./key -P ""

# create the input meta file
NEWKEY="$(cat ./key.pub)"
echo "$NEWUSER:$NEWKEY" > ./meta.txt

# update the instance metadata
gcloud compute instances add-metadata [INSTANCE_NAME] --metadata-from-file ssh-keys=meta.txt

# ssh to the new account
ssh -i ./key "$NEWUSER"@localhost

SSH keys at project level

Inawezekana kupanua ufikiaji wa SSH kwa Mashine nyingi za Kijijini (VMs) katika mazingira ya wingu kwa kutumia funguo za SSH katika kiwango cha mradi. Njia hii inaruhusu ufikiaji wa SSH kwa mfano wowote ndani ya mradi ambao haujazuia wazi wazi funguo za SSH za mradi. Hapa kuna mwongozo wa muhtasari:

Tumia Funguo za SSH katika Kiwango cha Mradi:

Tumia amri gcloud compute project-info add-metadata kuongeza funguo za SSH kutoka meta.txt kwenye metadata ya mradi. Kitendo hiki kinahakikisha kwamba funguo za SSH zinatambuliwa katika VMs zote ndani ya mradi, isipokuwa VM ambayo ina chaguo la "Block project-wide SSH keys" limewezeshwa.

gcloud compute project-info add-metadata --metadata-from-file ssh-keys=meta.txt

SSH kwenye Mifano kwa Kutumia Funguo za Kiwango cha Mradi:

Kwa funguo za SSH za kiwango cha mradi zikiwa mahali, unaweza SSH kwenye mfano wowote ndani ya mradi. Mifano ambayo haizuia funguo za kiwango cha mradi itakubali funguo za SSH, ikitoa ufikiaji.
Njia moja ya moja ya SSH kwenye mfano ni kutumia amri gcloud compute ssh [INSTANCE]. Amri hii inatumia jina lako la mtumiaji wa sasa na funguo za SSH zilizowekwa katika kiwango cha mradi kujaribu ufikiaji.

References

https://about.gitlab.com/blog/2020/02/12/plundering-gcp-escalating-privileges-in-google-cloud-platform/

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

PreviousGCP - Compute Privesc NextGCP - Composer Privesc

Last updated 1 month ago